Wednesday, 24 February 2016

@TripwireInc posted a brief article about my talk for @AbertayHackers and #SecuriTayV happening this Friday 26/Feb. For those attending, you will learn how to teach your brain to regenerate passwords instead of remembering them!

Let's cut to the chase. Despite the existence of a number of advanced authentication mechanisms, such as Single Sign-On (SSO), different types of Biometrics, multi-factor authentication, etc., the use of passwords is still the most popular means of authenticating users.

The need to generate, and hopefully to remember these passwords, has become even more demanding due to the rapid increase in the number of systems and online accounts being used.

Best practice is that these passwords need to be as strong as the assets they protect, and password management applications are supposed to be the most straightforward solution for storing them safely.

If you think about it for a moment, no one has ever actually taught you how to think when choosing a password. Due to the fact, it is generally considered a straightforward task, it is assumed that you actually know how to choose the appropriate password for protecting a particular asset (email, social media account, OS login, etc.).

Tuesday, 23 February 2016

Back in August 2015, Sysnet discussed the complexity of what the term CyberSecurity represents, especially in the context of today’s threat landscape. This complexity is not only constantly increasing but it is also expanding at an exponential rate. The risks involved demand constant attention and very good understanding of the new technologies being introduced onto the cyber defence ‘chessboard’.

Sysnet also explored the noticeable shift in the traditional roles of the CSO (Chief Security Officer) and the CIO (Chief Information Officer) which have changed a great deal over the past five years. Their focus on managing security by applying resources to the most crucial system components, in order to reduce the likelihood of a successful breach, is now considered an insufficient approach in the current environment of cyber threats. Threats are changing faster than traditional risk management approaches can cope with, and a more proactive and adaptive approach is needed for an effective cybersecurity strategy.

Wednesday, 17 February 2016

A critical vulnerability has been found in Glibc. The critical flaw affects nearly all Linux machines, as well as API web services and major web frameworks. Glibc is the GNU C library which was at the core of last year’s GHOST vulnerability.

The flaw, CVE-2015-7547, effects all Linux servers and web frameworks such as Rails, PHP and Python, as well as Android apps running Glibc. The vulnerability was discovered by researchers at Google and Red Hat and a patch has been made available. Google has released further information on the issue in its advisory.

It is strongly suggested to patch all effected systems immediately, as this vulnerability is considered critical and could be exploited for malicious reasons (allows remote code execution). More specifically, the vulnerability effects all versions of Glibc since version 2.9 and there are no temporary mitigations that can be implemented until Linux machines are patched.

Wednesday, 10 February 2016

Microsoft has released a number of security updates to address vulnerabilities across all of its Operating Systems. All the vulnerabilities were reported to Microsoft under a responsible disclosure agreement, thus, these are not believed to have been actively exploited by attackers.

MS16-012: An update to address two remote-code-execution flaws in Windows PDF Library and Reader for Windows 8.1, Windows 10 and Server 2012. These could allow attackers to run malicious code on an affected system by tricking users into opening a specially-crafted PDF file.

MS16-013: An update for a memory-corruption flaw that could allow a remote attacker to execute arbitrary code as the logged-in user by tricking a user into opening a specially crafted Journal file.

MS16-015: An update to patch 6 memory-corruption vulnerabilities in Microsoft Office, each of which could allow a remote attacker to run arbitrary code by tricking a user into opening a specially-crafted Office file.

Monday, 8 February 2016

Securi-Tay [1] is an Information Security conference held by the Abertay Ethical Hacking Society [2], and supported by the Abertay University in Dundee. The aim of the conference is to provide an opportunity to industry professionals, students and information security enthusiasts to attend and share knowledge and information. This year will be the fifth year the conference is taking place (hence the V) and it will be held on February 26th - 27th, 2016. Personally, I believe this conference offers a fantastic opportunity to students to meet and network with experts in the area of security, share information and have a first glance on how their future in the security industry can be like.

I was very pleased to get accepted to speak at the conference again this year and I am already looking forward to it. The talk is about passwords and more specifically on how to train your brain to "regenerate" different passwords for different accounts, instead of remembering them. I know that this is not very clear at the moment, but I promise you that everything will be explained during the presentation. This is something I started working more than 10 years ago. I actually published two papers on the subject, one paper describing the thought process and one paper on how to reverse the password generation process during a computer forensics investigation based on an individual's profile.

Monday, 1 February 2016

There are several websites available that offer temporary and disposable email addresses, which have become quite popular among Internet users today, as they provide a quick alternative to anyone who wishes for their email address to remain private when sending and receiving emails.

Some of these temporary and disposable email addresses are available only for a few minutes, while others remain publicly available for anyone to access once they have been created. The same goes for websites that offer access to publicly available mobile numbers for receiving text messages (SMS). There is a wide range of numbers available, from different countries.

Effectively, a user can register to an online service by using a publicly available mobile number and receive any verification texts online.

Some may argue that these temporary and disposable email addresses and SMS services provide some sort of privacy. That might be true, especially under specific circumstances, but do not confuse anonymity with privacy, and security.

Entering fake details while using a disposable email allows users to subscribe avoiding any future incoming communications from that particular website to their email or phone, but at what cost?